In association with heise online

D.I.Y.

For developers who write their own exploits, the framework provides some help. Although this part of the framework is not so fully documented and therefore cannot be accessed that easily, existing code provides some orientation when creating your own exploits. The underlying MSF infrastructure has also been written in Perl, supported by C and Python modules. Those who have some basic knowledge of the Perl language, should have no problem creating a socket to connect to the target system specified with RHOST and RPORT, for instance, by using

my $sock =
Msf::Socket::Tcp->new(
'PeerAddr' =>$targetHost,
'PeerPort' => $targetPort, );

Since most basic functions are available, the development work is reduced significantly. From sockets to network protocols and attack strings - the framework provides functions for all aspects of an exploit.

The available exploits with their detailed documentation also provide a good basis for one's own experiments. For instance, the WMF exploit, where a local Web server delivers special WMF files, could be used to create an exploit for a new vulnerability in the handling of HTTP headers in a Web browser, with only two or three lines of Perl code.

The MSF also provides some scripts that help to detect and analyze security holes in applications. For example, PatternCreate() creates an easily identifiable string which is handed over to a function where a buffer overflow occurs. The exploit developer can use a debugger to determine which part of the string has overwritten the return address; the script patternOffset.pl provides the respective offset. This way, the attacker is able to control the process of overwriting the return address.

MSFpescan detects certain command sequences in files available in the Portable Executable format (PE) for Windows; MSFelfscan does the same for the ELF files for Linux. Background: In case of a buffer overflow, it is often necessary to borrow certain commands from DLLS or ELF files already shown in the address space of the vulnerable process in order to access its own machine code. The opcode database provided by the developers under 2 is a particularly convenient tool to find such commands, although only values for English and French Windows versions have been provided so far.

The framework also provides support for shellcode developers. Shellcode consists of Assembler commands written directly into the memory of the target system, which is often extremely difficult to do, since, on the one hand, the space for the payload is mostly limited to a few hundred bytes, and, on the other hand, the attacker must avoid reserved byte sequences to prevent the shellcode from being changed on its way into the target system. With its msfencode script, MSF simplifies the effort search enormously: The developer defines what the payload should do, what system it runs on, and what byte sequences are taboo; then the framework tries to build a shellcode based on these specifications.

The framework also addresses another difficulty for shellcode developers: in most cases, the exploit developer does not know the exact "landing" address for his code to be used for the attack. Therefore, he builds a kind of "slide", into which the processor jump and from where it then simply slips through to the actual shellcode. The simplest version of such "NOP sleds" (or slides) is a sled consisting of NOP commands (0x90, No Operation) that instruct the processor to cease operations for one clock cycle and then continue with the next command.

However, this is very conspicuous. Even the sleepiest IDS will wake up when a large number of NOPs go through the line. Therefore the framework also provides various "NOP sled encoders", whose sleds are constructed to allow the CPU to access any place and find valid code, without, however, changing any relevant data.

Bottom line

Even with the Metasploit Framework the aspiring hacker will still need some knowledge of cryptic Assembler commands and lengthy jump addresses at least if he wants to use more than the ready-made exploits. The universal "point & click root" tool remains a dream of script kids. However, the Metasploit Framework strengthens a trend that has been observed for a while: the time spans between the publication of a security hole and the first exploits to use this hole are getting shorter and shorter.

And Metasploit is certainly not the end of the line. Core Impact and Immunity Canvas are two similar products for security professionals with a sufficient budget. Paid and registered users receive suitable exploit modules for vulnerabilities, often before these holes are published.

For security newbies, the Metasploit Framework offers interesting insights into exploit development. Professionals, on the other hand, can use the framework to save gruelling, recurring routine work, since it provides modular and reusable codes for routine tasks or, as is the case for the shellcode encoder, it helps to avoid time-consuming, trial-and-error experiments.

However, the framework should only be "tried out" on your own system or if system owners have given their permission to do so. While a port scan may be deemed impolite, but not criminal, any attempt to infect a system with an exploit is a criminal act.

At present, developers are working on version 3.0 of the framework written in Ruby rather than Perl. On the project mailing list, the developers have announced that the integrated scan functions shall also be enhanced a step towards a universal security tool, offering everything from vulnerability detection to exploits. According to the announcement, the release shall be available early next year. (ju)

Literature

[1] Homepage of the Metasploit project
[2] Opcode database

Print Version | Permalink: http://h-online.com/-747169
  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit
 


  • July's Community Calendar





The H Open

The H Security

The H Developer

The H Internet Toolkit